Question 1

What is CPCSC Level 1 and which Canadian defence contractors need it?

Accepted Answer

CPCSC (Canadian Program for Cyber Security Certification) Level 1 is a mandatory cybersecurity certification for Canadian defence contractors handling Low-Sensitivity Specified Information under contracts with DND (Department of National Defence) or PSPC (Public Services and Procurement Canada). Based on ITSP.10.171 (Canada's adaptation of NIST SP 800-171 Rev 3) published by CCCS (Canadian Centre for Cyber Security), Level 1 requires annual self-assessment and becomes mandatory Spring 2026. Contractors without CPCSC Level 1 certification cannot bid on contracts where the RFP specifies CPCSC as a condition of award.

Question 2

How long does CPCSC Level 1 implementation take for Canadian defence contractors?

Accepted Answer

CPCSC (Canadian Program for Cyber Security Certification) Level 1 implementation commonly takes 3-6 months or more for small Canadian defence contractors (10-50 employees), though actual timelines vary based on starting security posture and available resources. Timeline typically includes: gap analysis against ITSP.10.171 (13 controls) (2-4 weeks), technical control implementation including network segmentation and MFA (2-3 months), policy development (3-4 weeks), staff training (2-3 weeks), and self-assessment preparation using PSPC-provided tools (2-3 weeks). A structured methodology can help streamline this timeline through pre-configured ITSP.10.171 control templates. Starting CPCSC implementation now positions you ahead of the Spring 2026 mandatory deadline and avoids last-minute resource competition.

Question 3

How much does CPCSC Level 1 implementation cost for small contractors?

Accepted Answer

CPCSC (Canadian Program for Cyber Security Certification) Level 1 implementation costs vary significantly based on organisation size, existing security posture, and whether you take a DIY or consultant-supported approach. Key cost areas include: technical infrastructure (network segmentation equipment, security tools, MFA), professional services for gap analysis and implementation guidance if using a consultant, and internal labour (project management, IT implementation, documentation). Level 1 uses self-assessment (no 3PAO fees). Annual maintenance covers recertification effort plus tool subscriptions. Pilotcore's fixed-scope engagements can reduce budget uncertainty with a scoped estimate based on your baseline and contract scope before starting, plus documented change-control checkpoints if scope shifts. Book a consultation for a personalised estimate based on your environment.

Question 4

Can Canadian companies implement CPCSC themselves or do they need a consultant?

Accepted Answer

Canadian defence contractors can implement CPCSC (Canadian Program for Cyber Security Certification) Level 1 themselves if they have: senior IT security expertise familiar with ITSP.10.171, understanding of CCCS (Canadian Centre for Cyber Security) requirements, significant engineering capacity for implementation, and experience with compliance documentation. Most small contractors (10-50 employees) benefit from consultant support because: ITSP.10.171 has 110 detailed practices (13 for Level 1) requiring interpretation, PSPC self-assessment tools require specific documentation formats, implementation mistakes discovered during assessment require expensive rework, and consultants can help compress the learning curve. Pilotcore offers hybrid approach: consultant for gap analysis and roadmap, internal team for implementation with Pilotcore guidance and pre-configured templates.

Question 5

How does CPCSC differ from CMMC for companies working with both Canadian and US defence?

Accepted Answer

CPCSC (Canadian Program for Cyber Security Certification) applies to Canadian DND (Department of National Defence)/PSPC (Public Services and Procurement Canada) contracts while CMMC (Cybersecurity Maturity Model Certification) applies to US DoD (Department of Defense) contracts. Both derive from NIST SP 800-171 baseline, but CPCSC uses ITSP.10.171 (based on Rev 3, 2024) while CMMC uses Rev 2 (2021). Assessment bodies differ: Canadian 3PAOs (Third-Party Assessment Organisations, Standards Council of Canada accredited) vs US C3PAOs (CMMC Third-Party Assessment Organisations, Cyber-AB accredited). Information classifications differ: CPCSC protects Protected A/B/C and Specified Information, CMMC protects CUI (Controlled Unclassified Information). Timeline differs: CPCSC Level 1 mandatory Spring 2026, CMMC Level 2 phased rollout 2026-2028. No reciprocity agreement exists yet. Cross-border contractors need both certifications but can leverage shared control implementation (significant overlap) for cost efficiency. Pilotcore helps cross-border contractors leverage shared infrastructure between CPCSC and CMMC, which may help reduce total compliance costs compared to treating them as separate initiatives. We implement unified controls that satisfy both frameworks, eliminating duplicate effort.

Pass PSPC Level 1 Assessment Without Delays

How Pilotcore Prepares You for CPCSC Certification

Gap Analysis Against ITSP.10.171

Technical Control Implementation

Policies, Procedures & SSP

Assessment Readiness & Team Training

Canadian defence expertise your 3PAO will recognise

Book a Free CPCSC Gap Assessment Call

Frequently Asked Questions About CPCSC Compliance

What is CPCSC Level 1 and which Canadian defence contractors need it?

How long does CPCSC Level 1 implementation take for Canadian defence contractors?

How much does CPCSC Level 1 implementation cost for small contractors?

Can Canadian companies implement CPCSC themselves or do they need a consultant?

How does CPCSC differ from CMMC for companies working with both Canadian and US defence?

Ready to Move Forward?

CPCSC Readiness Review